The Newly Discovered Nerbian RAT Uses COVID-19 Lures and Bypasses Security Filters

ATTACK Simulator
3 min read · May 25, 2022


The Nerbian RAT (remote access trojan) is a novel malware with tons of features and evasion techniques to help it go unnoticed. The sneaky trojan uses COVID-19 lures, and it was spotted by Proofpoint.

The Nerbian RAT Spreading via Email

Threat actors are distributing the newly observed malware through a phishing email campaign using COVID-19 lures. Proofpoint discovered that Nerbian has many sophisticated features to avoid detection.

The trojan is written in the OS-agnostic Go programming language and “utilizes significant anti-analysis and anti-reversing capabilities,” a recent Proofpoint blog post wrote. “Go is an increasingly popular language used by threat actors, likely due to its lower barrier to entry and ease of use.”

Proofpoint researchers first discovered the RAT spreading via a low-volume email campaign beginning on April 26. They found that the operation impacted various sectors, mainly targeting companies located in Italy, Spain, and the UK.

“Starting on April 26, 2022, Proofpoint researchers observed a low volume (less than 100 messages) email-borne malware campaign sent to multiple industries. The threat disproportionately impacts entities in Italy, Spain, and the United Kingdom. The emails claimed to be representing the World Health Organization (WHO) with important information regarding COVID-19”, researchers noted.

Email claiming to be from WHO. Source: Proofpoint

Once you click on “please visit the attached document,” a malicious Word file containing COVID-19 safety precautions opens, and you are asked to enable editing. What you are actually about to enable are malicious macros. Once you do, the document reveals the promised safety tips, but the macro also drops a file, which then runs a PowerShell process to drop the Nerbian RAT dropper, a 64-bit executable named UpdateUAV.exe.

Attached Word document. Source: Proofpoint
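The delivery chain just described (Word macro, then PowerShell, then a freshly dropped .exe) leaves a recognisable parent/child pattern in process-creation telemetry. The following is an added detection sketch, not code from this post or from Proofpoint: it walks a list of simplified process-start records (a stand-in for Sysmon Event ID 1 or EDR process events; the field names are assumptions) and raises an alert for each Office-to-shell-to-dropped-executable chain. `SAMPLE_EVENTS` is constructed telemetry for illustration.

```python
"""Detection sketch for the delivery chain described above: a Word macro
spawning PowerShell, which launches a freshly dropped .exe from a user-writable
directory. Added example, not code from the post or from Proofpoint. The event
fields are a simplified stand-in for Sysmon Event ID 1 / EDR process-start
records (field names are assumptions), and SAMPLE_EVENTS is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the started executable
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Directories a macro can write to without elevation; the dropper lands here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_user_writable(path: str) -> bool:
    p = path.replace("/", "\\").lower()
    return any(marker in p for marker in USER_WRITABLE)


def find_office_to_shell(events: List[ProcEvent]) -> List[Tuple[ProcEvent, ProcEvent]]:
    """Step 1: an Office application is the direct parent of a scripting shell,
    which is what enabling the macro looks like in process telemetry."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    pairs = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and _basename(parent.image) in OFFICE_APPS and _basename(e.image) in SHELLS:
            pairs.append((parent, e))
    return pairs


def detect_chain(events: List[ProcEvent]) -> List[Dict[str, str]]:
    """Step 2: the shell from step 1 launches an .exe out of Temp/AppData, the
    dropper stage. Returns one alert per complete Office -> shell -> exe chain."""
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    alerts = []
    for office, shell in find_office_to_shell(events):
        for child in children.get(shell.pid, []):
            name = _basename(child.image)
            if name.endswith(".exe") and _in_user_writable(child.image):
                alerts.append({"office": _basename(office.image),
                               "shell": _basename(shell.image),
                               "dropped": name})
    return alerts


# Constructed telemetry: one malicious chain (pids 200-400) plus a benign
# PowerShell session started from Explorer (pids 500-600) that must not alert.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n C:\Users\alice\Downloads\attachment.doc'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden"),
    ProcEvent(400, 300, r"C:\Users\alice\AppData\Local\Temp\UpdateUAV.exe", "UpdateUAV.exe"),
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ProcEvent(600, 500, r"C:\Program Files\Git\bin\git.exe", "git status"),
]

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS):
        print(f"ALERT: {alert['office']} -> {alert['shell']} -> {alert['dropped']}")
```

The two-step split matters in practice: Office spawning PowerShell on its own is noisy in some estates, but Office spawning PowerShell that then starts an executable from Temp or AppData is a far higher-confidence signal and is the step at which blocking the process still prevents the RAT from running.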

Sophisticated and Evasive

The Nerbian RAT “leverages multiple anti-analysis components spread across several stages, including multiple open-source libraries,” the post wrote.

The complex new malware uses multistage evasion tactics, working in three steps. First, it spreads via phishing; then it moves on to the UpdateUAV.exe dropper. The dropper thoroughly checks its environment before executing the Nerbian RAT, and if any one of many checks fails, it stops executing.

According to Proofpoint, execution stops if: the size of the hard disk on the compromised system is more than a certain size; the name of the hard disk, according to WMI, contains “virtual,” “vbox” or “vmware”; the MAC address queried returns certain OUI values; or any of a number of reverse-engineering/debugging programs is found in the process list.

Execution also stops if the memory analysis/memory tampering tools DumpIt.exe, RAMMap.exe, RAMMap64.exe or vmmap.exe are found in the process list, or if the time elapsed while executing specific functions is considered “excessive,” which would point to a debugger stepping through the code.
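The checks listed above are exactly the ones a malware analyst's sandbox has to survive: if the VM trips any of them, the dropper exits and the RAT is never unpacked for analysis. The script below is an added example, not code from the post or from Proofpoint, that evaluates a host profile against those check categories so an operator can see which tells a stock VM exposes before hardening it. Only the categories, the three disk-name strings and the four tool names come from the post; the field names, the disk-size threshold and its direction, the timing threshold and the hypervisor OUI list are assumptions, and both host profiles are constructed.

```python
"""Sandbox self-check against the environment tests the post attributes to the
UpdateUAV.exe dropper. Added example, not code from the post or Proofpoint.
Assumptions: field names, DISK_MIN_GB (the post only says "a certain size"),
EXCESSIVE_MS, and VM_OUIS (the post only says "certain OUI values")."""
from dataclasses import dataclass
from typing import List

VM_DISK_MARKERS = ("virtual", "vbox", "vmware")                      # named in the post
ANALYSIS_TOOLS = {"dumpit.exe", "rammap.exe", "rammap64.exe", "vmmap.exe"}  # named in the post
# Public IEEE OUI assignments used by common hypervisor virtual NICs (assumption:
# the post does not list the values the dropper checks).
VM_OUIS = {"00:05:69", "00:0c:29", "00:50:56", "08:00:27", "00:15:5d", "52:54:00"}
DISK_MIN_GB = 100.0   # assumption: small disks are the classic VM tell
EXCESSIVE_MS = 1000.0 # assumption: wall-clock budget for a timing probe


@dataclass
class HostProfile:
    disk_gb: float
    disk_model: str          # what WMI (Win32_DiskDrive.Model) would report
    mac: str
    processes: List[str]     # full image paths from the process list
    probe_elapsed_ms: float  # measured wall-clock of a short timing probe


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tripped_checks(p: HostProfile) -> List[str]:
    """Return one human-readable reason per check the dropper would trip on."""
    reasons = []
    if p.disk_gb < DISK_MIN_GB:
        reasons.append(f"disk {p.disk_gb:g} GB is below {DISK_MIN_GB:g} GB")
    model = p.disk_model.lower()
    for marker in VM_DISK_MARKERS:
        if marker in model:
            reasons.append(f"disk model contains '{marker}'")
            break
    oui = p.mac.lower().replace("-", ":")[:8]
    if oui in VM_OUIS:
        reasons.append(f"MAC OUI {oui} belongs to a hypervisor NIC")
    found = sorted({_basename(x) for x in p.processes} & ANALYSIS_TOOLS)
    if found:
        reasons.append("analysis tools running: " + ", ".join(found))
    if p.probe_elapsed_ms > EXCESSIVE_MS:
        reasons.append(f"timing probe took {p.probe_elapsed_ms:g} ms (debugger?)")
    return reasons


def would_abort(p: HostProfile) -> bool:
    return bool(tripped_checks(p))


# Constructed profiles: a default VMware guest with RAMMap open, and the same
# guest after the usual hardening (bigger disk, renamed model, vendor MAC).
STOCK_VM = HostProfile(
    disk_gb=60,
    disk_model="VMware Virtual disk SCSI Disk Device",
    mac="00:0c:29:ab:cd:ef",
    processes=[r"C:\Windows\explorer.exe", r"C:\Tools\RAMMap64.exe"],
    probe_elapsed_ms=3.0,
)
HARDENED_VM = HostProfile(
    disk_gb=250,
    disk_model="Samsung SSD 870 EVO 250GB",
    mac="3c:52:82:11:22:33",
    processes=[r"C:\Windows\explorer.exe"],
    probe_elapsed_ms=2.5,
)

if __name__ == "__main__":
    for label, host in (("stock", STOCK_VM), ("hardened", HARDENED_VM)):
        print(f"{label}: aborts={would_abort(host)}")
        for r in tripped_checks(host):
            print("  -", r)
```

Running it prints four separate reasons for the stock guest and none for the hardened one; the point of listing every reason rather than stopping at the first is that each one maps to a concrete hypervisor or guest setting the operator has to change.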

Researchers found that the novel Nerbian RAT relies heavily on evasion and not so much on obfuscation. “The dropper and the RAT itself do not employ heavy obfuscation outside of the sample being packed with UPX, which it can be argued isn’t necessarily for obfuscation, but to simply reduce the size of the executable,” the blog post said.

The trojan takes its settings from an encrypted configuration file. Its capabilities include encrypted communication with its C&C (command-and-control) server, keylogging, and screen-capturing features that work on all operating systems.

The Need For Security Awareness Training

Phishing is one of the biggest issues of today’s online world. Unfortunately, your employees are the weakest link in the chain, and scammers will bombard them with phishing emails all the time.

Your staff is your first line of defense against phishing attacks, so you need to be able to rely on their vigilance. To achieve this, make it a priority to implement security awareness training in your company. A robust and extensive program will teach them everything they need to know to stay off the hook.

Educate your employees on phishing and how to combat it with the help of one of our comprehensive Security Awareness Training plans.

Get your quote today.

Sources:

Threatpost: Novel ‘Nerbian’ Trojan Uses Advanced Anti-Detection Tricks

Proofpoint: Nerbian RAT Using COVID-19 Themes Features Sophisticated Evasion Techniques

Attribution:

Feature Image: Photo by CDC on Unsplash


We’re a fresh startup that aims at creating a culture of security in every company by teaching security awareness through automated phishing simulations.